Wowza Community

Question about Security vulnerability on HTTP Deamon of Wowza Streaming Engine

Dear Wowza Team,

Recently, we are checking the security levels of all applications which we are using and we found some security issues on the HTTP Daemon of Wowza System.

When we scan the HTTP Daemon of Wowza server with Openvas greenbone security tool, we got below messages.

Version of Wowza Streaming Engine: Engine Version 4.1.0 (build 12602)

  • 80/tcp : HTTP negative Content-Length buffer overflow

Severity : High (10.0)

Summary : We could crash the web server by sending an invalid POST HTTP request with a negative Content-Length field.

A cracker may exploit this flaw to disable your service or even execute arbitrary code on your system.

Vulnerability Detection Result : Vulnerability was detected according to the Vulnerability Detection Method.

Vulnerability Detection Method

  • Details: HTTP negative Content-Length buffer overflow (OID: 1.3.6.1.4.1.25623.1.0.11183)

  • Version used: $Revision: 17 $

  • 8086/tcp : Format string on URI

Severity : High (10.0)

Summary : The remote web server seems to be vulnerable to a format string attack on the URI. An attacker might use this flaw to make it crash or even execute arbitrary code on this host.

Vulnerability Detection Result : Vulnerability was detected according to the Vulnerability Detection Method.

Vulnerability Detection Method

  • Details: Format string on URI (OID: 1.3.6.1.4.1.25623.1.0.15640)

  • Version used: $Revision: 998 $

My questions are,

  1. Do you already recognize this issue and fix it?

1.1 If that, which Wowza Version is including the fix?

  1. If not, do you have any plan to fix this issue?

Please advise.

CDNetworks Operation Team

Hi CDNetworks Operation Team,

Thank you for your post. We are looking into this immediately. If possible, could you please email support@wowza.com to open a ticket and include this information?

Thanks,

-Jamie

Please do open a support ticket by sending an email to support@wowa.com. I am trying to duplicate your results and am not able to. I would like to dig deeper into this issue but need your help.

Charlie

Hi,

Thank you for bringing this to our attention. While we are not aware of any security vulnerabilities in the current builds, we have escalated to our Engineering team to review this issue, and will reply with an update shortly.

Michelle